Date: Wed, 20 Dec 2017 14:42:47 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 224485] [ipfw][dummynet] "REDZONE: Buffer overflow detected." after "ipfw pipe show"
Message-ID: <bug-224485-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224485

            Bug ID: 224485
           Summary: [ipfw][dummynet] "REDZONE: Buffer overflow detected." after "ipfw pipe show"
           Product: Base System
           Version: 11.1-STABLE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: david@catwhisker.org

Created attachment 188994
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=188994&action=edit
This machine's kernel configuration file ("CANARY")

Issuing "ipfw pipe show" yields the following (in /var/log/messages):

Dec 20 14:15:30 g1-252 kernel: REDZONE: Buffer overflow detected. 16 bytes corrupted after 0xfffff801d9cc9f48 (328 bytes allocated).
Dec 20 14:15:30 g1-252 kernel: Allocation backtrace:
Dec 20 14:15:30 g1-252 kernel: #0 0xffffffff80d49299 at redzone_setup+0xe9
Dec 20 14:15:30 g1-252 kernel: #1 0xffffffff80a1175d at malloc+0x22d
Dec 20 14:15:30 g1-252 kernel: #2 0xffffffff80c95e07 at dummynet_get+0x337
Dec 20 14:15:30 g1-252 kernel: #3 0xffffffff80ba4102 at rip_ctloutput+0x102
Dec 20 14:15:30 g1-252 kernel: #4 0xffffffff80ac2d9d at sogetopt+0xcd
Dec 20 14:15:30 g1-252 kernel: #5 0xffffffff80ac756b at kern_getsockopt+0xdb
Dec 20 14:15:30 g1-252 kernel: #6 0xffffffff80ac7462 at sys_getsockopt+0x52
Dec 20 14:15:30 g1-252 kernel: #7 0xffffffff80e3a66a at amd64_syscall+0xa6a
Dec 20 14:15:30 g1-252 kernel: #8 0xffffffff80e1cedb at Xfast_syscall+0xfb
Dec 20 14:15:30 g1-252 kernel: Free backtrace:
Dec 20 14:15:30 g1-252 kernel: #0 0xffffffff80d49604 at redzone_check+0x304
Dec 20 14:15:30 g1-252 kernel: #1 0xffffffff80a117b6 at free+0x46
Dec 20 14:15:30 g1-252 kernel: #2 0xffffffff80c9623d at dummynet_get+0x76d
Dec 20 14:15:30 g1-252 kernel: #3 0xffffffff80ba4102 at rip_ctloutput+0x102
Dec 20 14:15:30 g1-252 kernel: #4 0xffffffff80ac2d9d at sogetopt+0xcd
Dec 20 14:15:30 g1-252 kernel: #5 0xffffffff80ac756b at kern_getsockopt+0xdb
Dec 20 14:15:30 g1-252 kernel: #6 0xffffffff80ac7462 at sys_getsockopt+0x52
Dec 20 14:15:30 g1-252 kernel: #7 0xffffffff80e3a66a at amd64_syscall+0xa6a
Dec 20 14:15:30 g1-252 kernel: #8 0xffffffff80e1cedb at Xfast_syscall+0xfb

Similarly, "ipfw sched show" yields:

Dec 20 14:15:43 g1-252 kernel: REDZONE: Buffer overflow detected. 16 bytes corrupted after 0xfffff80196cf9348 (328 bytes allocated).
Dec 20 14:15:43 g1-252 kernel: Allocation backtrace:
Dec 20 14:15:43 g1-252 kernel: #0 0xffffffff80d49299 at redzone_setup+0xe9
Dec 20 14:15:43 g1-252 kernel: #1 0xffffffff80a1175d at malloc+0x22d
Dec 20 14:15:43 g1-252 kernel: #2 0xffffffff80c95e07 at dummynet_get+0x337
Dec 20 14:15:43 g1-252 kernel: #3 0xffffffff80ba4102 at rip_ctloutput+0x102
Dec 20 14:15:43 g1-252 kernel: #4 0xffffffff80ac2d9d at sogetopt+0xcd
Dec 20 14:15:43 g1-252 kernel: #5 0xffffffff80ac756b at kern_getsockopt+0xdb
Dec 20 14:15:43 g1-252 kernel: #6 0xffffffff80ac7462 at sys_getsockopt+0x52
Dec 20 14:15:43 g1-252 kernel: #7 0xffffffff80e3a66a at amd64_syscall+0xa6a
Dec 20 14:15:43 g1-252 kernel: #8 0xffffffff80e1cedb at Xfast_syscall+0xfb
Dec 20 14:15:43 g1-252 kernel: Free backtrace:
Dec 20 14:15:43 g1-252 kernel: #0 0xffffffff80d49604 at redzone_check+0x304
Dec 20 14:15:43 g1-252 kernel: #1 0xffffffff80a117b6 at free+0x46
Dec 20 14:15:43 g1-252 kernel: #2 0xffffffff80c9623d at dummynet_get+0x76d
Dec 20 14:15:43 g1-252 kernel: #3 0xffffffff80ba4102 at rip_ctloutput+0x102
Dec 20 14:15:43 g1-252 kernel: #4 0xffffffff80ac2d9d at sogetopt+0xcd
Dec 20 14:15:43 g1-252 kernel: #5 0xffffffff80ac756b at kern_getsockopt+0xdb
Dec 20 14:15:43 g1-252 kernel: #6 0xffffffff80ac7462 at sys_getsockopt+0x52
Dec 20 14:15:43 g1-252 kernel: #7 0xffffffff80e3a66a at amd64_syscall+0xa6a
Dec 20 14:15:43 g1-252 kernel: #8 0xffffffff80e1cedb at Xfast_syscall+0xfb

I note that "ipfw queue show" does NOT yield a whine. :-)

This is running stable/11 on amd64:

FreeBSD g1-252.catwhisker.org 11.1-STABLE FreeBSD 11.1-STABLE #485 r327021M/327021:1101506: Wed Dec 20 04:34:23 PST 2017     root@g1-252.catwhisker.org:/common/S1/obj/usr/src/sys/CANARY  amd64

(Though a quick reality-check running head @r327017 on the same system (different slice; same hardware & same ipfw ruleset) yielded a similar whine for "ipfw pipe show".)

Kernel modules loaded:

g1-252(11.1-S)[3] kldstat
Id Refs Address            Size     Name
 1   40 0xffffffff80200000 1e4cef8  kernel
 2    1 0xffffffff8204e000 21e30    geom_eli.ko
 3    3 0xffffffff82070000 ad1c8    linux.ko
 4    4 0xffffffff8211e000 e208     linux_common.ko
 5    1 0xffffffff8212d000 4d80     coretemp.ko
 6    1 0xffffffff82132000 546d8    iwn5000fw.ko
 7    1 0xffffffff82187000 e14658   nvidia.ko
 8    1 0xffffffff82f9c000 e0a8     cuse.ko
 9    1 0xffffffff82fab000 a268     filemon.ko
10    1 0xffffffff83211000 bbbf     tmpfs.ko
11    1 0xffffffff8321d000 5bc8     fdescfs.ko
12    1 0xffffffff83223000 a8f2     linprocfs.ko
13    1 0xffffffff8322e000 3d133    linux64.ko
14    1 0xffffffff8326c000 78e      rtc.ko
g1-252(11.1-S)[4]

The kernel is based on GENERIC; it has some devices I don't need on a laptop snipped out, and IPFIREWALL_DEFAULT_TO_ACCEPT is explicitly not enabled.

Current ipfw stuff:

g1-252(11.1-S)[4] sudo ipfw show
00100 203030 21519482 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 84647 98610106 reass ip from any to any in
00500 0 0 allow ip from any to any via tun0
00600 0 0 allow ip from 172.17.1.252 to 172.17.1.252
00700 0 0 deny log ip from any to any ipoptions ssrr,lsrr,rr,ts
00800 0 0 deny log ip from table(1) to 172.17.1.252
00900 0 0 deny log ip from 172.17.1.252 to table(1)
01000 0 0 deny log ip from table(2) to 172.17.1.252 dst-port 22
01100 0 0 deny log ip from table(3) to 172.17.1.252 dst-port 80,443
01200 0 0 deny udp from any 135-139 to any
01300 0 0 deny udp from any to any dst-port 135-139
01400 0 0 deny tcp from any 135-139 to any
01500 0 0 deny tcp from any to any dst-port 135-139
01600 0 0 deny udp from any 445 to any
01700 0 0 deny udp from any to any dst-port 445
01800 0 0 deny tcp from any 445 to any
01900 0 0 deny tcp from any to any dst-port 445
02000 0 0 deny udp from any to any dst-port 631
02100 0 0 deny udp from any to any dst-port 1985
02200 0 0 deny udp from any to any dst-port 2222
02300 0 0 deny udp from any to any dst-port 5353
02400 0 0 deny ip from 224.0.0.0/4 to any
02500 0 0 deny ip from any to 224.0.0.0/4
02600 12 1008 skipto 60000 icmp from any to any icmptypes 0,3,4,8,11,12
02700 0 0 skipto 60000 udp from 172.17.1.252 68 to 172.17.0.1 dst-port 67 keep-state :default
02800 0 0 skipto 60000 udp from 172.17.0.1 67 to 172.17.1.252 dst-port 68 keep-state :default
02900 0 0 skipto 60000 udp from 172.17.1.252 68 to 172.17.0.1 dst-port 67 keep-state :default
03000 0 0 skipto 60000 udp from 172.17.0.1 67 to 172.17.1.252 dst-port 68 keep-state :default
03100 0 0 skipto 60000 udp from 172.17.1.252 to 172.17.255.255 dst-port 192 keep-state :default
03200 0 0 skipto 60000 udp from any 192 to 172.17.1.252
03300 0 0 skipto 60000 udp from 172.17.0.0/16 162 to 172.17.255.255 dst-port 162 keep-state :default
03400 0 0 deny ip from any to 172.17.255.255
03500 0 0 deny ip from 172.17.255.255 to any
03600 141401 103424861 skipto 60000 tcp from any to any established
03700 597 35820 skipto 60000 tcp from 172.17.1.252 to any setup
03800 0 0 skipto 60000 log tcp from any to any dst-port 22 setup
03900 0 0 skipto 60000 log tcp from any to any dst-port 3690 setup
04000 0 0 skipto 60000 tcp from any to 172.17.1.252 dst-port 80 setup
04100 0 0 skipto 60000 tcp from any to 172.17.1.252 dst-port 443 setup
04200 0 0 deny log tcp from any to any setup
04300 1331 246776 skipto 60000 udp from 172.17.1.252 to any dst-port 53 keep-state :default
04400 0 0 deny log udp from any to any dst-port 123 iplen 0-75
04500 184 13984 skipto 60000 udp from 172.17.1.252 to any dst-port 123 keep-state :default
04600 0 0 skipto 60000 udp from any 123 to 255.255.255.255 dst-port 123 keep-state :default
04700 0 0 skipto 60000 udp from 172.17.1.252 to any keep-state :default
04800 0 0 deny log ip from any to any
60000 84617 98587266 allow ip from any to any in
60100 58908 5135183 queue 1 ip from any to any out
65535 1 340 deny ip from any to any
g1-252(11.1-S)[5] sudo ipfw pipe show
00001: unlimited 0 ms burst 0
q131073 50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
 sched 65537 type FIFO flags 0x0 0 buckets 0 active
g1-252(11.1-S)[6] sudo ipfw sched show
00001: unlimited 0 ms burst 0
q65537 50 sl. 0 flows (1 buckets) sched 1 weight 0 lmax 0 pri 0 droptail
 sched 1 type FQ_CODEL flags 0x0 0 buckets 0 active
 FQ_CODEL target 5ms interval 100ms quantum 1514 limit 10240 flows 1024 ECN
   Children flowsets: 1
g1-252(11.1-S)[7] sudo ipfw queue show
q00001 50 sl. 0 flows (1 buckets) sched 1 weight 0 lmax 0 pri 0 droptail
g1-252(11.1-S)[8]

This (REDZONE whine) is readily reproducible for me.

I will attach a copy of the kernel configuration file ("CANARY").

-- 
You are receiving this mail because:
You are the assignee for the bug.
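The report above is the kind of kernel log a defender wants to triage quickly: the REDZONE message names how many bytes past the allocation were clobbered, how large the allocation was, and both the allocation and free backtraces. The script below is an added example, not part of the bug report or of FreeBSD, that parses those lines and groups events by the code site that owns the buffer (the first frame after the redzone/malloc/free plumbing), so repeated hits on the same site, here dummynet_get+0x337 allocated and dummynet_get+0x76d freed, are counted together. The regexes describe the message layout shown in this report and are an assumption; the sample lines are copied from the report, with the second event's backtraces abbreviated.

```python
"""Parse FreeBSD REDZONE "Buffer overflow detected" kernel messages and group
them by the kernel code site that owns the overflowed buffer.

Added example for this bug report; not part of the report or of FreeBSD.
Sample lines are copied from the report (second event abbreviated); the
regexes are an assumption about the message layout seen there."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Dec 20 14:15:30 g1-252 kernel: REDZONE: Buffer overflow detected. 16 bytes corrupted after 0xfffff801d9cc9f48 (328 bytes allocated).
Dec 20 14:15:30 g1-252 kernel: Allocation backtrace:
Dec 20 14:15:30 g1-252 kernel: #0 0xffffffff80d49299 at redzone_setup+0xe9
Dec 20 14:15:30 g1-252 kernel: #1 0xffffffff80a1175d at malloc+0x22d
Dec 20 14:15:30 g1-252 kernel: #2 0xffffffff80c95e07 at dummynet_get+0x337
Dec 20 14:15:30 g1-252 kernel: #3 0xffffffff80ba4102 at rip_ctloutput+0x102
Dec 20 14:15:30 g1-252 kernel: #4 0xffffffff80ac2d9d at sogetopt+0xcd
Dec 20 14:15:30 g1-252 kernel: #5 0xffffffff80ac756b at kern_getsockopt+0xdb
Dec 20 14:15:30 g1-252 kernel: #6 0xffffffff80ac7462 at sys_getsockopt+0x52
Dec 20 14:15:30 g1-252 kernel: #7 0xffffffff80e3a66a at amd64_syscall+0xa6a
Dec 20 14:15:30 g1-252 kernel: #8 0xffffffff80e1cedb at Xfast_syscall+0xfb
Dec 20 14:15:30 g1-252 kernel: Free backtrace:
Dec 20 14:15:30 g1-252 kernel: #0 0xffffffff80d49604 at redzone_check+0x304
Dec 20 14:15:30 g1-252 kernel: #1 0xffffffff80a117b6 at free+0x46
Dec 20 14:15:30 g1-252 kernel: #2 0xffffffff80c9623d at dummynet_get+0x76d
Dec 20 14:15:30 g1-252 kernel: #3 0xffffffff80ba4102 at rip_ctloutput+0x102
Dec 20 14:15:43 g1-252 kernel: REDZONE: Buffer overflow detected. 16 bytes corrupted after 0xfffff80196cf9348 (328 bytes allocated).
Dec 20 14:15:43 g1-252 kernel: Allocation backtrace:
Dec 20 14:15:43 g1-252 kernel: #0 0xffffffff80d49299 at redzone_setup+0xe9
Dec 20 14:15:43 g1-252 kernel: #1 0xffffffff80a1175d at malloc+0x22d
Dec 20 14:15:43 g1-252 kernel: #2 0xffffffff80c95e07 at dummynet_get+0x337
Dec 20 14:15:43 g1-252 kernel: Free backtrace:
Dec 20 14:15:43 g1-252 kernel: #0 0xffffffff80d49604 at redzone_check+0x304
Dec 20 14:15:43 g1-252 kernel: #1 0xffffffff80a117b6 at free+0x46
Dec 20 14:15:43 g1-252 kernel: #2 0xffffffff80c9623d at dummynet_get+0x76d
"""

# Event header, section markers and "#N 0xPC at symbol+offset" frames (assumed layout).
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: REDZONE: Buffer overflow detected\. "
    r"(?P<corrupt>\d+) bytes corrupted after (?P<addr>0x[0-9a-f]+) \((?P<alloc>\d+) bytes allocated\)\.$")
SECTION_RE = re.compile(r"kernel: (?P<kind>Allocation|Free) backtrace:$")
FRAME_RE = re.compile(r"kernel: #(?P<idx>\d+) (?P<pc>0x[0-9a-f]+) at (?P<sym>[A-Za-z_][\w.]*)\+(?P<off>0x[0-9a-f]+)$")

# Frames that belong to the allocator/checker; the first frame after them owns the buffer.
INFRA_SYMBOLS = {"redzone_setup", "redzone_check", "malloc", "free"}


def parse_redzone_events(lines):
    """Return one dict per REDZONE header, each with its Allocation and Free frame lists."""
    events, current, section = [], None, None
    for line in lines:
        m = HEADER_RE.match(line.rstrip("\n"))
        if m:
            current = {"timestamp": m["ts"], "host": m["host"],
                       "corrupted_bytes": int(m["corrupt"]), "address": int(m["addr"], 16),
                       "allocated_bytes": int(m["alloc"]), "Allocation": [], "Free": []}
            events.append(current)
            section = None
            continue
        if current is None:
            continue  # unrelated log noise before the first event
        m = SECTION_RE.search(line)
        if m:
            section = m["kind"]
            continue
        m = FRAME_RE.search(line)
        if m and section is not None:
            current[section].append({"idx": int(m["idx"]), "pc": int(m["pc"], 16),
                                     "sym": m["sym"], "off": int(m["off"], 16)})
    return events


def owning_frame(frames):
    """First frame (by index) that is neither the redzone checker nor malloc/free."""
    for f in sorted(frames, key=lambda f: f["idx"]):
        if f["sym"] not in INFRA_SYMBOLS:
            return f
    return None


def summarize(events):
    """Count events per (alloc site, free site, allocated bytes, corrupted bytes)."""
    counts = defaultdict(int)
    for ev in events:
        a, f = owning_frame(ev["Allocation"]), owning_frame(ev["Free"])
        key = (f"{a['sym']}+{a['off']:#x}" if a else "?",
               f"{f['sym']}+{f['off']:#x}" if f else "?",
               ev["allocated_bytes"], ev["corrupted_bytes"])
        counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    for (alloc_site, free_site, size, over), n in summarize(parse_redzone_events(SAMPLE_LOG.splitlines())).items():
        print(f"{n}x: {over} bytes written past a {size}-byte buffer allocated at {alloc_site}, freed at {free_site}")
```

Run it against /var/log/messages instead of SAMPLE_LOG to see whether every hit lands on the same allocation and free site; a single repeating pair, as in this report, points at one size calculation in the owning function rather than memory corruption from elsewhere.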